2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 12:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe
Size

83KB
MD5

e9f101f8def2d42e2b51cf68e3508160
SHA1

20a15da672e2a578fd151aa3edfa4519d6c432b7
SHA256

2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47
SHA512

ff12c5a8cd1e8236b8ce5073b26ef4b24654dd5c9cf42eb88535b4ef330679f6f379683eac6726ed4517e88b68589cd5bb843df35305e6d0ff7b6bd812cfeee1
SSDEEP

1536:lv/kDzjjSOQA8A0qUhMb2nuy5wgIP0CS3q+5yQBB8GMGlZ54:lvsbGhqU7uy5w9NMy6N54

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3680	[email protected]

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3380	5092	2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe	83
PID 5092 wrote to memory of 3380	5092	2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe	83
PID 5092 wrote to memory of 3380	5092	2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe	83
PID 3380 wrote to memory of 3680	3380	cmd.exe	84
PID 3380 wrote to memory of 3680	3380	cmd.exe	84
PID 3380 wrote to memory of 3680	3380	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe
"C:\Users\Admin\AppData\Local\Temp\2f5fdc726b39bc30e105d0b54b463b701385fdcb0dc6e1b0a46d0847230d9d47N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
83KB

MD5
b70a6a62f50e4f7733953601effc1aa5

SHA1
cff70c3c26760c3e154a5a6f3b535e2770258ed6

SHA256
25fe6b31d5757f572d490c2177e4d8aca20c4aff7f99e1fb5d4e39793cd21ac0

SHA512
451de8cbc023e742b074a469c99b5a91ef214ad2aa63e7573d9bec43afd5cd2769e36511f3823cdd321d9406260235b109829f687a59dd788a92353b76c5de90

Download Submit
memory/3680-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5092-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download